te.js 2.3.1 → 2.3.2

package/README.md

@@ -161,6 +161,12 @@ app.takeoff();
 // Visit http://localhost:1403/docs
 ```
 
+Docs are disabled in production by default. Set `DOCS_PASSWORD` to enable protected access:
+
+```bash
+DOCS_PASSWORD=my-secret
+```
+
 ## Documentation
 
 For comprehensive documentation, see the [docs folder](./docs) or visit [tejas-documentation.vercel.app](https://usetejas.com).

package/auto-docs/ui/docs-auth.js

@@ -0,0 +1,291 @@
+/**
+ * Password protection for the docs UI. When a password is configured,
+ * visitors must authenticate via a login form before viewing the docs.
+ *
+ * Uses an HMAC-based cookie so no server-side session state is needed.
+ * All comparisons are timing-safe to prevent timing attacks.
+ */
+
+import { createHmac, timingSafeEqual } from 'node:crypto';
+
+const COOKIE_NAME = '_tejs_docs';
+const COOKIE_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
+const HMAC_KEY = 'tejs-docs-auth-v1';
+
+function createToken(password) {
+  return createHmac('sha256', password).update(HMAC_KEY).digest('hex');
+}
+
+/**
+ * Timing-safe password comparison. Both values are HMAC'd first so
+ * the comparison never leaks password length.
+ */
+function verifyPassword(submitted, expected) {
+  const a = createHmac('sha256', HMAC_KEY)
+    .update(String(submitted ?? ''))
+    .digest();
+  const b = createHmac('sha256', HMAC_KEY).update(String(expected)).digest();
+  return timingSafeEqual(a, b);
+}
+
+function parseCookies(header) {
+  if (!header) return {};
+  return Object.fromEntries(
+    header.split(';').map((c) => {
+      const [k, ...v] = c.trim().split('=');
+      return [k.trim(), v.join('=').trim()];
+    }),
+  );
+}
+
+function isAuthenticated(headers, password) {
+  const token = parseCookies(headers?.cookie)[COOKIE_NAME];
+  if (!token) return false;
+  const expected = createToken(password);
+  if (token.length !== expected.length) return false;
+  try {
+    return timingSafeEqual(Buffer.from(token), Buffer.from(expected));
+  } catch {
+    return false;
+  }
+}
+
+function setAuthCookie(res, password) {
+  const token = createToken(password);
+  res.setHeader(
+    'Set-Cookie',
+    `${COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${COOKIE_MAX_AGE}`,
+  );
+}
+
+function buildLoginPage(error = null) {
+  const errorHtml = error ? `<div class="error">${error}</div>` : '';
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>API Documentation</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+      background: #0f0f11;
+      color: #e4e4e7;
+    }
+    .card {
+      width: 100%;
+      max-width: 380px;
+      padding: 40px 32px;
+      background: #18181b;
+      border: 1px solid #27272a;
+      border-radius: 16px;
+    }
+    .icon {
+      width: 48px;
+      height: 48px;
+      margin: 0 auto 24px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: #27272a;
+      border-radius: 12px;
+    }
+    .icon svg { width: 24px; height: 24px; color: #a1a1aa; }
+    h1 {
+      font-size: 20px;
+      font-weight: 600;
+      text-align: center;
+      margin-bottom: 6px;
+      color: #fafafa;
+    }
+    .subtitle {
+      font-size: 14px;
+      text-align: center;
+      color: #71717a;
+      margin-bottom: 28px;
+    }
+    .error {
+      background: #371520;
+      border: 1px solid #5c1d33;
+      color: #fca5a5;
+      font-size: 13px;
+      padding: 10px 14px;
+      border-radius: 8px;
+      margin-bottom: 20px;
+    }
+    label {
+      display: block;
+      font-size: 13px;
+      font-weight: 500;
+      color: #a1a1aa;
+      margin-bottom: 6px;
+    }
+    input[type="password"] {
+      width: 100%;
+      padding: 10px 14px;
+      font-size: 14px;
+      background: #09090b;
+      border: 1px solid #27272a;
+      border-radius: 8px;
+      color: #fafafa;
+      outline: none;
+      transition: border-color 0.15s;
+    }
+    input[type="password"]:focus {
+      border-color: #3b82f6;
+      box-shadow: 0 0 0 3px rgba(59, 130, 246, 0.15);
+    }
+    input[type="password"]::placeholder { color: #52525b; }
+    button {
+      width: 100%;
+      margin-top: 18px;
+      padding: 10px 0;
+      font-size: 14px;
+      font-weight: 500;
+      color: #fff;
+      background: #2563eb;
+      border: none;
+      border-radius: 8px;
+      cursor: pointer;
+      transition: background 0.15s;
+    }
+    button:hover { background: #1d4ed8; }
+    button:active { background: #1e40af; }
+  </style>
+</head>
+<body>
+  <form class="card" method="POST">
+    <div class="icon">
+      <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M16.5 10.5V6.75a4.5 4.5 0 1 0-9 0v3.75m-.75 11.25h10.5a2.25 2.25 0 0 0 2.25-2.25v-6.75a2.25 2.25 0 0 0-2.25-2.25H6.75a2.25 2.25 0 0 0-2.25 2.25v6.75a2.25 2.25 0 0 0 2.25 2.25Z" />
+      </svg>
+    </div>
+    <h1>API Documentation</h1>
+    <p class="subtitle">Enter the password to continue</p>
+    ${errorHtml}
+    <label for="password">Password</label>
+    <input type="password" id="password" name="password" placeholder="Enter password" required autofocus />
+    <button type="submit">Continue</button>
+  </form>
+</body>
+</html>`;
+}
+
+const DOCS_URL = 'https://usetejas.com/docs/auto-docs';
+
+function buildSetupPage() {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>API Documentation</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+      background: #0f0f11;
+      color: #e4e4e7;
+    }
+    .card {
+      width: 100%;
+      max-width: 460px;
+      padding: 40px 32px;
+      background: #18181b;
+      border: 1px solid #27272a;
+      border-radius: 16px;
+    }
+    .icon {
+      width: 48px;
+      height: 48px;
+      margin: 0 auto 24px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: #27272a;
+      border-radius: 12px;
+    }
+    .icon svg { width: 24px; height: 24px; color: #eab308; }
+    h1 {
+      font-size: 20px;
+      font-weight: 600;
+      text-align: center;
+      margin-bottom: 6px;
+      color: #fafafa;
+    }
+    .subtitle {
+      font-size: 14px;
+      text-align: center;
+      color: #71717a;
+      margin-bottom: 28px;
+      line-height: 1.5;
+    }
+    .code-block {
+      background: #09090b;
+      border: 1px solid #27272a;
+      border-radius: 8px;
+      padding: 14px 16px;
+      font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', Consolas, monospace;
+      font-size: 13px;
+      color: #a1a1aa;
+      margin-bottom: 20px;
+      overflow-x: auto;
+    }
+    .code-block .env-key { color: #22d3ee; }
+    .code-block .env-val { color: #a78bfa; }
+    .hint {
+      font-size: 13px;
+      color: #71717a;
+      text-align: center;
+      line-height: 1.5;
+    }
+    .hint a {
+      color: #3b82f6;
+      text-decoration: none;
+    }
+    .hint a:hover { text-decoration: underline; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="icon">
+      <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor">
+        <path stroke-linecap="round" stroke-linejoin="round" d="M12 9v3.75m-9.303 3.376c-.866 1.5.217 3.374 1.948 3.374h14.71c1.73 0 2.813-1.874 1.948-3.374L13.949 3.378c-.866-1.5-3.032-1.5-3.898 0L2.697 16.126ZM12 15.75h.007v.008H12v-.008Z" />
+      </svg>
+    </div>
+    <h1>API Docs Disabled</h1>
+    <p class="subtitle">A password is required to serve API documentation in production. Set the <strong>DOCS_PASSWORD</strong> environment variable to enable access.</p>
+    <div class="code-block"><span class="env-key">DOCS_PASSWORD</span>=<span class="env-val">your-secret-here</span></div>
+    <p class="hint">Learn more about <a href="${DOCS_URL}" target="_blank" rel="noopener">serving and protecting API docs</a></p>
+  </div>
+</body>
+</html>`;
+}
+
+/**
+ * Returns true when docs should be disabled without a password:
+ * NODE_ENV is unset or set to 'production'.
+ */
+function requiresPasswordForEnv() {
+  const env = process.env.NODE_ENV;
+  return !env || env === 'production';
+}
+
+export {
+  isAuthenticated,
+  setAuthCookie,
+  verifyPassword,
+  buildLoginPage,
+  buildSetupPage,
+  requiresPasswordForEnv,
+};

package/auto-docs/ui/docs-ui.js

@@ -9,6 +9,32 @@
 
 import Endpoint from '../../server/endpoint.js';
 import targetRegistry from '../../server/targets/registry.js';
+import {
+  isAuthenticated,
+  setAuthCookie,
+  verifyPassword,
+  buildLoginPage,
+  buildSetupPage,
+  requiresPasswordForEnv,
+} from './docs-auth.js';
+
+/**
+ * Write an HTML response directly, bypassing ammo.fire so the response
+ * envelope (when enabled) does not wrap the HTML in JSON.
+ */
+function sendHtml(res, statusCode, html) {
+  res.writeHead(statusCode, { 'Content-Type': 'text/html' });
+  res.end(html);
+}
+
+/**
+ * Write a JSON response directly, bypassing ammo.fire so the response
+ * envelope does not wrap internal docs responses.
+ */
+function sendJson(res, statusCode, data) {
+  res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(data));
+}
 
 /** Scalar API Reference browser standalone (IIFE, sets window.Scalar). Pinned for stability. */
 const SCALAR_VERSION = '1.46.0';
@@ -98,38 +124,98 @@ function buildDocsPage(specUrl, scalarConfig = {}) {
 
 /**
  * Create endpoint that serves the docs HTML page at GET docsPath.
+ *
+ * Three modes:
+ * - **password set** → login form for unauthenticated visitors, POST to verify
+ * - **no password, production/missing NODE_ENV** → setup page urging developer to set DOCS_PASSWORD
+ * - **no password, development** → open access
+ *
  * @param {string} docsPath - e.g. '/docs'
  * @param {string} htmlContent - Full HTML document
+ * @param {string|null} [password] - Optional password to protect docs
  * @returns {Endpoint}
  */
-function createDocsHtmlEndpoint(docsPath, htmlContent) {
+function createDocsHtmlEndpoint(docsPath, htmlContent, password) {
   const endpoint = new Endpoint();
   endpoint.setPath('', docsPath);
   endpoint.setMiddlewares([]);
+
+  if (password) {
+    const loginPage = buildLoginPage();
+    const loginError = buildLoginPage('Incorrect password');
+
+    endpoint.setHandler((ammo) => {
+      if (!ammo.GET && !ammo.POST) return ammo.notAllowed('GET', 'POST');
+
+      if (ammo.POST) {
+        if (verifyPassword(ammo.payload?.password, password)) {
+          setAuthCookie(ammo.res, password);
+          return ammo.redirect(docsPath);
+        }
+        sendHtml(ammo.res, 401, loginError);
+        return;
+      }
+
+      if (isAuthenticated(ammo.headers, password)) {
+        sendHtml(ammo.res, 200, htmlContent);
+      } else {
+        sendHtml(ammo.res, 200, loginPage);
+      }
+    });
+    return endpoint;
+  }
+
+  if (requiresPasswordForEnv()) {
+    const setupPage = buildSetupPage();
+    endpoint.setHandler((ammo) => {
+      if (!ammo.GET) return ammo.notAllowed();
+      sendHtml(ammo.res, 403, setupPage);
+    });
+    return endpoint;
+  }
+
   endpoint.setHandler((ammo) => {
     if (!ammo.GET) return ammo.notAllowed();
-    ammo.fire(200, htmlContent, 'text/html');
+    sendHtml(ammo.res, 200, htmlContent);
   });
   return endpoint;
 }
 
 /**
  * Create endpoint that serves the OpenAPI spec JSON at GET specPath.
+ * Returns 401 for unauthenticated requests when a password is set,
+ * or 403 when docs are disabled (production without DOCS_PASSWORD).
  * @param {string} specPath - e.g. '/docs/openapi.json'
  * @param {() => object | Promise<object>} getSpec - Function that returns the current spec
+ * @param {string|null} [password] - Optional password to protect docs
  * @returns {Endpoint}
  */
-function createSpecJsonEndpoint(specPath, getSpec) {
+function createSpecJsonEndpoint(specPath, getSpec, password) {
   const endpoint = new Endpoint();
   endpoint.setPath('', specPath);
   endpoint.setMiddlewares([]);
+
+  if (!password && requiresPasswordForEnv()) {
+    endpoint.setHandler((ammo) => {
+      if (!ammo.GET) return ammo.notAllowed();
+      sendJson(ammo.res, 403, {
+        error: 'Docs disabled. Set the DOCS_PASSWORD environment variable.',
+      });
+    });
+    return endpoint;
+  }
+
   endpoint.setHandler(async (ammo) => {
     if (!ammo.GET) return ammo.notAllowed();
+    if (password && !isAuthenticated(ammo.headers, password)) {
+      sendJson(ammo.res, 401, { error: 'Unauthorized' });
+      return;
+    }
     try {
       const spec = await Promise.resolve(getSpec());
-      ammo.fire(200, spec);
+      sendJson(ammo.res, 200, spec);
     } catch (err) {
-      ammo.fire(500, {
+      sendJson(ammo.res, 500, {
         error: 'Failed to generate OpenAPI spec',
         message: err?.message,
       });
@@ -147,6 +233,7 @@ function createSpecJsonEndpoint(specPath, getSpec) {
  * @param {string} [options.docsPath='/docs'] - Base path for docs (HTML page and spec URL). Routes: GET {docsPath}, GET {docsPath}/openapi.json.
  * @param {string} [options.specUrl] - Override for the spec URL shown in the docs page (default: '{docsPath}/openapi.json'). Use when serving behind a proxy with a different base path.
  * @param {object} [options.scalarConfig] - Optional Scalar API Reference config (e.g. { layout: 'classic' } for try-it on the same page).
+ * @param {string|null} [options.password] - Optional password to protect docs behind a login form. When set, unauthenticated visitors see a password prompt.
  * @param {boolean} [options.mutateRegistry=true] - If true, push endpoints to registry. If false, return [docsEndpoint, specEndpoint] without mutating.
  * @param {object} [registry] - Target registry to register routes on when mutateRegistry is true. Defaults to the module's targetRegistry.
  * @returns {undefined | [Endpoint, Endpoint]} When mutateRegistry is false, returns the two endpoints for the caller to register.
@@ -157,6 +244,7 @@ export function registerDocRoutes(options = {}, registry = targetRegistry) {
     docsPath = '/docs',
     specUrl: specUrlOption,
     scalarConfig,
+    password = null,
     mutateRegistry = true,
   } = options;
 
@@ -171,8 +259,8 @@ export function registerDocRoutes(options = {}, registry = targetRegistry) {
   const specPath = `${basePath}/openapi.json`;
   const htmlContent = buildDocsPage(specUrl, scalarConfig);
 
-  const docsEndpoint = createDocsHtmlEndpoint(docsPath, htmlContent);
-  const specEndpoint = createSpecJsonEndpoint(specPath, getSpec);
+  const docsEndpoint = createDocsHtmlEndpoint(docsPath, htmlContent, password);
+  const specEndpoint = createSpecJsonEndpoint(specPath, getSpec, password);
 
   if (mutateRegistry) {
     registry.targets.push(docsEndpoint);

package/docs/api-reference.md

@@ -70,7 +70,7 @@ app.withRateLimit({
 
 #### serveDocs(config)
 
-Serve an interactive API documentation UI (Scalar) from a pre-generated OpenAPI spec.
+Serve an interactive API documentation UI (Scalar) from a pre-generated OpenAPI spec. Optionally password-protected.
 
 ```javascript
 app.serveDocs({
@@ -79,12 +79,13 @@ app.serveDocs({
 });
 ```
 
-| Option         | Type   | Default            | Description                     |
-| -------------- | ------ | ------------------ | ------------------------------- |
-| `specPath`     | string | `'./openapi.json'` | Path to the OpenAPI spec file   |
-| `scalarConfig` | object | _(defaults)_       | Scalar UI configuration options |
+| Option         | Type   | Default             | Description                                                                         |
+| -------------- | ------ | ------------------- | ----------------------------------------------------------------------------------- |
+| `specPath`     | string | `'./openapi.json'`  | Path to the OpenAPI spec file                                                       |
+| `password`     | string | `DOCS_PASSWORD` env | Password to protect docs behind a login form. Falls back to `DOCS_PASSWORD` env var |
+| `scalarConfig` | object | _(defaults)_        | Scalar UI configuration options                                                     |
 
-Registers `GET /docs` (HTML UI) and `GET /docs/openapi.json` (spec JSON).
+Registers `GET /docs` (HTML UI) and `GET /docs/openapi.json` (spec JSON). In production (or when `NODE_ENV` is unset), docs are **disabled** unless a password is configured. In development, docs are open by default. When a password is set, unauthenticated visitors see a login form.
 
 **Returns:** `Tejas` (for chaining)
 

package/docs/auto-docs.md

@@ -32,11 +32,11 @@ Target files → Handler analysis → LLM enhancement → OpenAPI 3.0 spec → S
 
 The `level` option controls how much context the LLM receives and how much work it does:
 
-| Level | Name | Context Sent to LLM | Output |
-|-------|------|---------------------|--------|
-| **1** | Moderate | Handler source code only (~hundreds of tokens per endpoint) | Summaries, schemas, tags |
-| **2** | High | Handler + full dependency chain from imports (~thousands of tokens per endpoint) | More accurate schemas and descriptions |
-| **3** | Comprehensive | Same as level 2, plus post-processing | Everything from level 2, plus: reordered tags by importance, `API_OVERVIEW.md` page |
+| Level | Name          | Context Sent to LLM                                                              | Output                                                                              |
+| ----- | ------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
+| **1** | Moderate      | Handler source code only (~hundreds of tokens per endpoint)                      | Summaries, schemas, tags                                                            |
+| **2** | High          | Handler + full dependency chain from imports (~thousands of tokens per endpoint) | More accurate schemas and descriptions                                              |
+| **3** | Comprehensive | Same as level 2, plus post-processing                                            | Everything from level 2, plus: reordered tags by importance, `API_OVERVIEW.md` page |
 
 Higher levels produce better documentation but use more LLM tokens.
 
@@ -47,24 +47,28 @@ You can provide explicit metadata when registering endpoints. This metadata is u
 ```javascript
 const users = new Target('/users');
 
-users.register('/', {
-  summary: 'User operations',
-  description: 'Create and list users',
-  methods: ['GET', 'POST'],
-  request: {
-    name: { type: 'string', required: true },
-    email: { type: 'string', required: true }
+users.register(
+  '/',
+  {
+    summary: 'User operations',
+    description: 'Create and list users',
+    methods: ['GET', 'POST'],
+    request: {
+      name: { type: 'string', required: true },
+      email: { type: 'string', required: true },
+    },
+    response: {
+      200: { description: 'Success' },
+      201: { description: 'User created' },
+      400: { description: 'Validation error' },
+    },
   },
-  response: {
-    200: { description: 'Success' },
-    201: { description: 'User created' },
-    400: { description: 'Validation error' }
-  }
-}, (ammo) => {
-  if (ammo.GET) return ammo.fire(userService.list());
-  if (ammo.POST) return ammo.fire(201, userService.create(ammo.payload));
-  ammo.notAllowed();
-});
+  (ammo) => {
+    if (ammo.GET) return ammo.fire(userService.list());
+    if (ammo.POST) return ammo.fire(201, userService.create(ammo.payload));
+    ammo.notAllowed();
+  },
+);
 ```
 
 The metadata object is optional. When omitted, the LLM infers everything from the handler source.
@@ -134,17 +138,17 @@ All options live under the `docs` key in `tejas.config.json`:
 }
 ```
 
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| `dirTargets` | string | `"targets"` | Directory containing `.target.js` files |
-| `output` | string | `"./openapi.json"` | Output file path for the generated spec |
-| `title` | string | `"API"` | API title in the OpenAPI `info` block |
-| `version` | string | `"1.0.0"` | API version in the OpenAPI `info` block |
-| `description` | string | `""` | API description |
-| `level` | number | `1` | Enhancement level (1–3) |
-| `llm` | object | — | LLM provider configuration (see above) |
-| `overviewPath` | string | `"./API_OVERVIEW.md"` | Path for the generated overview page (level 3 only) |
-| `productionBranch` | string | `"main"` | Branch that triggers `docs:on-push` |
+| Key                | Type   | Default               | Description                                         |
+| ------------------ | ------ | --------------------- | --------------------------------------------------- |
+| `dirTargets`       | string | `"targets"`           | Directory containing `.target.js` files             |
+| `output`           | string | `"./openapi.json"`    | Output file path for the generated spec             |
+| `title`            | string | `"API"`               | API title in the OpenAPI `info` block               |
+| `version`          | string | `"1.0.0"`             | API version in the OpenAPI `info` block             |
+| `description`      | string | `""`                  | API description                                     |
+| `level`            | number | `1`                   | Enhancement level (1–3)                             |
+| `llm`              | object | —                     | LLM provider configuration (see above)              |
+| `overviewPath`     | string | `"./API_OVERVIEW.md"` | Path for the generated overview page (level 3 only) |
+| `productionBranch` | string | `"main"`              | Branch that triggers `docs:on-push`                 |
 
 ## Serving API Docs
 
@@ -162,34 +166,71 @@ app.takeoff();
 
 This registers two routes:
 
-| Route | Description |
-|-------|-------------|
-| `GET /docs` | Interactive Scalar API reference UI |
-| `GET /docs/openapi.json` | Raw OpenAPI spec JSON |
+| Route                    | Description                         |
+| ------------------------ | ----------------------------------- |
+| `GET /docs`              | Interactive Scalar API reference UI |
+| `GET /docs/openapi.json` | Raw OpenAPI spec JSON               |
 
 ### serveDocs Options
 
 ```javascript
 app.serveDocs({
-  specPath: './openapi.json',   // Path to the spec file (relative to cwd)
-  scalarConfig: {               // Scalar UI configuration
-    layout: 'modern',          // 'modern' or 'classic'
+  specPath: './openapi.json', // Path to the spec file (relative to cwd)
+  password: 'my-secret', // Optional: protect docs with a password
+  scalarConfig: {
+    // Scalar UI configuration
+    layout: 'modern', // 'modern' or 'classic'
     theme: 'default',
     showSidebar: true,
-    hideTestRequestButton: false
-  }
+    hideTestRequestButton: false,
+  },
 });
 ```
 
+| Option         | Type   | Default             | Description                                                                           |
+| -------------- | ------ | ------------------- | ------------------------------------------------------------------------------------- |
+| `specPath`     | string | `'./openapi.json'`  | Path to the OpenAPI spec file (relative to cwd)                                       |
+| `password`     | string | `DOCS_PASSWORD` env | Password to protect docs. Falls back to `DOCS_PASSWORD` env var. Omit for open access |
+| `scalarConfig` | object | _(defaults)_        | Scalar UI configuration options                                                       |
+
 See the [Scalar configuration reference](https://scalar.com/products/api-references/configuration) for all available UI options.
 
+### Password Protection
+
+API docs reveal your entire endpoint surface — every route, parameter, and response schema. Tejas protects you by default:
+
+**In production** (or when `NODE_ENV` is not set), docs are **disabled** unless a password is configured. Visitors see a setup page directing them to set `DOCS_PASSWORD`.
+
+**In development** (`NODE_ENV=development`), docs are open without a password for convenience.
+
+To enable docs in production, set the `DOCS_PASSWORD` environment variable:
+
+```bash
+DOCS_PASSWORD=my-secret
+```
+
+That's it — no code changes required. When the env var is set, visitors to `/docs` see a password form. After entering the correct password, a cookie-based session grants access for 7 days. Both `/docs` and `/docs/openapi.json` are protected.
+
+You can also pass the password explicitly:
+
+```javascript
+app.serveDocs({ password: process.env.DOCS_PASSWORD });
+```
+
+| Environment        | Password Set | Behavior                             |
+| ------------------ | ------------ | ------------------------------------ |
+| development        | No           | Docs open (no auth)                  |
+| development        | Yes          | Login form required                  |
+| production / unset | No           | **Docs disabled** (setup page shown) |
+| production / unset | Yes          | Login form required                  |
+
 ## CLI Commands
 
-| Command | Description |
-|---------|-------------|
-| `tejas generate:docs` | Interactive OpenAPI generation |
-| `tejas generate:docs --ci` | Non-interactive mode (for CI/CD) |
-| `tejas docs:on-push` | Generate docs when pushing to production branch |
+| Command                    | Description                                     |
+| -------------------------- | ----------------------------------------------- |
+| `tejas generate:docs`      | Interactive OpenAPI generation                  |
+| `tejas generate:docs --ci` | Non-interactive mode (for CI/CD)                |
+| `tejas docs:on-push`       | Generate docs when pushing to production branch |
 
 See the [CLI Reference](./cli.md) for full details.
 
@@ -213,4 +254,3 @@ npx tejas generate:docs
 - [CLI Reference](./cli.md) — Detailed CLI command documentation
 - [Configuration](./configuration.md) — Full framework configuration reference
 - [Routing](./routing.md) — Learn about endpoint metadata
-

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "te.js",
-  "version": "2.3.1",
+  "version": "2.3.2",
   "description": "AI Native Node.js Framework",
   "type": "module",
   "main": "te.js",

package/te.js

@@ -468,11 +468,13 @@ class Tejas {
    * @param {Object} [config] - Configuration
    * @param {string} [config.specPath='./openapi.json'] - Path to the OpenAPI spec JSON file (relative to process.cwd())
    * @param {object} [config.scalarConfig] - Optional Scalar API Reference config (e.g. { layout: 'modern' } for dialog try-it)
+   * @param {string} [config.password] - Optional password to protect docs. Falls back to DOCS_PASSWORD env var. When set, visitors must authenticate via a login form.
    * @returns {Tejas} The Tejas instance for chaining
    *
    * @example
    * app.serveDocs({ specPath: './openapi.json' });
    * app.serveDocs({ specPath: './openapi.json', scalarConfig: { layout: 'modern' } });
+   * app.serveDocs({ password: process.env.DOCS_PASSWORD });
    * app.takeoff();
    */
   serveDocs(config = {}) {
@@ -481,12 +483,13 @@ class Tejas {
       config.specPath || './openapi.json',
     );
     const { scalarConfig } = config;
+    const password = config.password ?? process.env.DOCS_PASSWORD ?? null;
     const getSpec = async () => {
       const content = await readFile(specPath, 'utf8');
       return JSON.parse(content);
     };
     registerDocRoutes(
-      { getSpec, specUrl: '/docs/openapi.json', scalarConfig },
+      { getSpec, specUrl: '/docs/openapi.json', scalarConfig, password },
       targetRegistry,
     );
     return this;